Point-to-Point Encryption (P2PE) technology makes data unreadable so it has no value to criminals even if stolen in a breach. Merchants can take advantage of this technology with a P2PE solution, a combination of secure devices, applications, and processes that encrypt payment card data from the point it is used at a payment terminal until it reaches a secure point of decryption. PCI P2PE Solutions are those that have been validated as meeting the rigorous security requirements of the PCI P2PE Standard and are listed on the PCI Security Standards Council (PCI SSC) website. PCI P2PE Solutions provide the strongest protection for payment card data and can simplify merchant efforts to comply with the PCI Data Security Standard (PCI DSS).
Recognizing that many merchants are not yet using PCI-listed solutions, however, the PCI SSC issued guidance in November 2016 to assist security assessors in evaluating non-listed account data encryption solutions and their impact on merchants’ PCI DSS compliance.
In this blog post, Chair of the PCI SSC P2PE Working Group, Mike Thompson, addresses some of the key questions the PCI SSC has received from assessors about non-listed encryption solution assessments.
What is a non-listed encryption solution assessment, or NESA?
Mike Thompson: A non-listed encryption solution assessment is a P2PE QSA’s evaluation of a solution provider’s non-listed encryption solution against the PCI P2PE Standard. The aim of a NESA is to identify and document the gaps between the solution and the PCI P2PE Standard and to show how use of the solution impacts a merchant’s PCI DSS assessment.
When is a NESA appropriate?
Mike Thompson: A NESA is intended for situations where an encryption solution that pre-dates the PCI P2PE Standard is in use by a merchant. Per the guidance, only a specially trained P2PE QSA can conduct non-listed encryption solution assessments. A QSA can refer to the NESA done by a P2PE QSA to help with PCI DSS assessments for merchant environments using an associated non-listed encryption solution.
How does a NESA impact a merchant’s PCI DSS compliance responsibilities?
Mike Thompson: There is no guarantee that a NESA will result in fewer PCI DSS requirements for the users of the non-listed encryption solution. It is entirely possible to have a NESA conducted for a solution and all PCI DSS requirements will still apply to the merchant environment. Only PCI P2PE Solutions can guarantee a reduction in PCI DSS requirements.
Why isn’t the NESA template available to QSAs?
Mike Thompson: As only P2PE QSAs can perform assessments using the PCI P2PE Standard, the NESA template is only relevant to them. P2PE QSAs can find the template on the PCI P2PE QSA portal. The Assessment Guidance for Non-Listed Encryption Solutions outlines everything a P2PE QSA needs to understand about documenting a NESA, and the template is just a format for completing the documentation.
If the Council recommends the use of PCI P2PE Solutions, why is it providing assessment guidance for non-listed encryption solutions?
Mike Thompson: First, to be clear, the PCI SSC does not endorse the use of non-listed encryption solutions. The PCI SSC continues to endorse the use of PCI-listed P2PE Solutions. Only PCI P2PE Solutions have been validated as fully meeting the PCI P2PE Standard for security and can ensure reduced PCI DSS validation effort.
With that said, there are solutions currently being used by merchants that pre-date the PCI P2PE Standard and are not PCI-listed. By acknowledging these solutions are out there, and providing guidance to P2PE QSAs for evaluating them against the standard, the PCI SSC is encouraging these solutions to remediate gaps and eventually undergo a PCI P2PE assessment for listing on the PCI SSC website.
Are there plans for a NESA program?
Mike Thompson: No. Again, the NESA is just a way of evaluating non-listed encryption solutions that do not meet the PCI P2PE Standard, but are being used by merchants anyway, so that all the parties involved in a merchant PCI DSS assessment understand how the use of a non-listed encryption solution impacts the merchant’s PCI DSS compliance responsibilities.
The intent and expectation is that solutions that undergo a NESA will remediate the gaps and then go through the validation process to be listed as a PCI P2PE Solution.
Why should solution providers bother validating P2PE solutions if non-listed solutions are still being used by merchants and assessed by P2PE QSAs?
Mike Thompson: This is actually a great question for the many PCI P2PE solution providers that have come over to the program in the last few months. It comes down to two key things – greater security assurance and simplified PCI DSS compliance. Only PCI P2PE Solutions are independently assessed by a P2PE QSA and validated per the PCI P2PE Standard and Program Guide to ensure the strongest protection for payment card data and to simplify PCI DSS efforts for merchants. The Council continues to encourage merchants and acquirers to use the PCI SSC listing in selecting a PCI P2PE Solution that meets their needs.